A day after Adobe patched a serious security hole in its Reader and Acrobat programs, miscreants are flooding email inboxes with malware-tainted PDF files that try to remotely hijack vulnerable computers.
The malware, identified by Symantec researchers as Trojan.Pidief.A, is included in PDF files attached to a "fair number of …

COMMENTS

how to deal with the ru55ians

the only way to deal with a company like that (which openly breaks international laws like that and is basically just pure scum, but protected by politicians and bribes and bought favours etc), is to cut off the whole of russia.

the rest of the world should annex russia from the phone system until its politicians get their act together enough to play ball and stop the child porn hosts and other scams. or maybe just st petersburg.

under that sort of pressure they will break under the anger of fellow russians. i mean, I'm sure most people are honest and decent, but they need to sort it out and stop spoiling it for everyone.

it's kind of like the argument about muslims sitting by and saying that most of them are innocent and peaceful, instead of taking it upon themselves to oust their disruptive element, seeing as they have the closest ties and best ability to do so. (or any other religion etc)

I don't like spamware and trojans and phishing scams and having to spend hours virus checking and fixing my non-IT-literate relatives' computers. wouldn't it be much easier for someone to just cut the whole place off for a bit?

for example like the Russ1ans did to the australian bank website.

read this

http://economist.com/displaystory.cfm?story_id=9723768

ps. yeah i know the activists will get a bit moany if we cut off russia's communications, but if what VeriSign say is true ("Every major trojan in the last year links to RBN") then I think we certainly need to do something drastic and extreme.

Anyone know the ip range for...

@Jesus Puncher

I know - let's run the possibility of totally disrupting a country's economy so that we can shut down something that we don't like.

Next, if that is done and works, let's cut off the communications links from Iraq, since they are still fighting back and objecting to being "liberated".

Then do the same to Iran, since they're not playing nice and are developing a nucular program.

Next stage would be spam nets - let's kill any ISP that allows its users to have infected machines.

Finally, let's get all the lies off the internet. Any website that contains lies designed to misrepresent the great and good truths of the world (democracy is perfect, Christianity is the one true faith, etc) should be banned!

Foxit Reader

What about other PDF readers?

I gave up using Adobe's slow and bloated reader a long time ago. I use Foxit Reader which is free and fires up in seconds. Does anyone know if this or other alternatives are affected by this exploit?

I'm tempted to add something to the effect of Reg readers not being stupid enough to open unsolicited attachments, but nobody's perfect, and the scammers are getting cleverer (naming the attachments things like "INVOICE.pdf").

Re: how to deal with the ru55ians

And just think how clean our inboxes would be if there was no spam coming from russia. Unfortunately we would all miss the "My name is ------- and I am from Russia, I would like to send you my pics and meet up for ....." "just send me your bank details so I can by a plane ticket to cum meet you" messages I get.

ISP IGNORANCE!

I think the solution to this is very simple - the debate about ISPs taking ownership of such problems has been an ongoing issue. The problem being the corporations supplying the detection software want the additional license money from the individuals - which is fair enough.

I think a similar scenario would have to be making guns legal in the UK and us having to purchase bullet proof vests, if we didn't purchase them then it would be our own fault for not doing so in the event of being shot.

It's a simple system to put in place but then again this may stop the authorities using the same tactic -

http://www.theregister.co.uk/2007/10/23/teutonic_trojan/

A scenario one organisation is considering against an ISP is that by allowing this type of attack to pass through their systems unchallenged they are effectively condoning the attack. Sanctioned by inaction.

Anyhow, the issue in my opinion isn't about individuals carrying out such attacks as in modern business you will do what you have to to survive - it's about stopping them and removing the option.

I just love this situation

Here we have an ISP who, by popular knowledge, provides "bullet-proof hosting" to criminal organizations. Everyone knows it, it's practically flagged on Mappy with a great big sign, yet nothing is done about it.

I should hope that a truly working Russian police force would be tracking its users right now, checking each one of them to weed out any possible innocents, and nailing the real criminals to the wall.

Oh, sorry, I must have watched too many American cop stories. I forgot that the Russian mafia already owns the head cop in every district.

You get what you deserve

If you are STILL stupid enough to run closed-source software, you deserve whatever the hell you get. There is Open Source software available to do everything, nowadays (including reading and writing PDF documents). Knowing what I know, I'd sooner use a pencil and paper than closed-source software.

Any software whose Source Code has not been independently audited (i.e., by someone other than the vendor) should be considered potentially unsafe. Any software whose vendor is unwilling to supply the Source Code for audit should be considered actually dangerous. You wouldn't buy a cake without a list of ingredients and a breakdown of protein, fat and carbohydrates, would you? Would you stand for the manufacturer telling you it was none of your damned business what was in their cakes? Why the hell are you putting up with this sort of behaviour from software vendors?

IT buyers -- you're in a great position to do something about this. Demand the Source Code; and if your suppliers won't budge, then *you* budge. Tell them straight -- if other people are willing to show us their Source Code which does the same as what your program does, then it can't be *that* special. Harassed family members -- just give your granny Ubuntu or Mandriva and let her get on with surfing and e-mailing, and get your kids a games console (or maybe send them into the Big Blue Room to get some fresh air and exercise). Everybody -- write to your MP and demand that the vile practice of concealing Source Code from users be outlawed.

Cut off Russia? oh yeah...

2 They would cut off the west from their oil and gas in retaliation - £2/litre petrol anyone? No central heating this winter?

3 They managed for years as a super power with little telephonic communication with the west. Putin would just retrench back into Soviet style cold war politics.

4 Trojan sites moved to satellite countries - cut those off too? where do you stop? Some ex-Soviet satellites are members of the EU now; cut off all of Europe? How about China?

5 What about phone lines routed through Russia? Assume the Russians wouldn't tap into those or cut them off too? So that is about two-thirds of the world cut-off by now.

Why not cut off the US too, as they are the source of about 80% of spam?

If you want to cut-off anything (rather than your own nose to spite your face) why not persuade ISPs to block/label all emails with RBN's IP addresses in the header. That at least has the benefit of actually being possible - it's already being done for some IP addresses, by ISPs in the US and Europe.

@ AJ Stiles - caveat emptor

Let the buyer beware still applies, but this is based on the unvoiced "let the buyer be aware". Software is purchased by wonks in business organisations who DO NOT CARE or even bother to try to understand the distinction between open- and closed-source. The other category of purchaser is those who just want to get on t'internet to see PH's bedroom antics NOW! The remaining 0.00236% (us) understand your point and agree with you.

The correct economic incentive for purchasers in business organisations is to make the Purchasing Boss and all his team PERSONALLY liable for the cost of business disruption arising from a published exploit.

@ Vladimir Plouzhnikov

An outstanding point Vladimir - why are we blaming individuals for defaults in the software?

If you leave your keys in your car and it's stolen your insurance is void -

If it goes on fire through a manufacturing defect the manufacturer is liable -

If Microsoft or Adobe f**k up we have to buy the next version to resolve the problem fully or accept an update which throws something else out!!!!

Where does it say on the Microsoft or Adobe EULA

"The chances of this product being compromised is highly likely and any personal data stolen may bankrupt you. This is not our fault as we do make the effort to secure our systems"

Most shocking findings to date for me personally - Office 2007 is a patched locked down version of - Office 2003 which is a patched locked down version of - Office 2002 which is a patched locked down version of - Office 2007 which is a patched locked down version of - Office 97.

Same applies from Vista - XP - 2000 - NT

Yet they were bundled as new operating systems and priced accordingly.

Bottom line - you go for products from the big guys and get burnt - go cry elsewhere.

Not quite...

"BTW these viruses only work because of failings in the poorly written software such as Windows and Acrobat and those are not Russian."

No. They work because of 2 facts: 1) to err is human and 2) there are scum willing to exploit their fellow human beings. It could be any software exploited by any nationality so saying that any given problem is the specific fault of anyone is kinda unfair. 419'ers have been quite scummy without having to resort to exploiting faulty software. It's a human condition, and if we can't handle that we deserve to fail.

Instead we could have a bit more productive discussion by acknowledging the facts and then try to figure out which infrastructure to handle it. Here in Denmark we have something cooking that's beyond idiotic and far into dangerous: Digital Signature. One key to rule them all, banking, public services, real estates, mortgages - everything in one encryption key. I'm not participating. My PC is not and never will be secure enough to hold anything remotely like this. I'll live with a fragmented life and enjoy the fact that even though my credit card may be abused I still have a house to live in.

PostScript is a language ...

Correct me if I'm wrong but last time I looked, PDF is just a standardized markup language ... basically PostScript with comments and extra functions. PostScript is a stack-based programming language, albeit for typesetting (inc. displays). So PDFs have been always 'executed' by a PostScript/EPS/PDF engine, no?

@Gilbert

PDFs were /never/ non-executable

PDF is a derivative of postscript, which is a fully turing-complete interpreted language. They trimmed some of postscript's more egregiously risky features, like access to the i/o and filing systems, but it's always basically been that a PDF is an executable script.

Version?

@Glenn Gilbert

Linux -- and OpenSolaris -- users don't need no stinkin' Adobe Acrobat! We can just use kpdf (KDE), evince (GNOME) or xpdf. Both OpenOffice and kOffice can export PDF natively, and *any* application running under KDE or GNOME can "print" to a PostScript or PDF file.

You can probably even persuade some or all of the above to compile on a Mac.

Now, how about a campaign to educate the masses about alternative, Open Source PDF viewers? The statement "requires Acrobat Reader" which often accompanies PDFs on web sites is just flat-out untrue -- I can't see any difference between this, and an audio CD claiming on the box that it requires (for argument's sake) a Philips CD player to listen to it (which would be a breach of European competition law).

@everyone who @Jesus Puncher

graham t - "They would cut off the west from their oil and gas in retaliation - £2/litre petrol anyone? No central heating this winter?"

So, basically you're saying that the 150 million lost to scams is a kind of hidden tax or something that we pay to the russians for lower oil prices. And that is acceptable. That they allow us access to their oil, and we allow them access to our non-IT-savvy citizens' bank accounts?

It's an interesting proposal, and way of looking at it, but it seems a little unfair to me, especially if you're not IT literate.

anon - "Nice, punish 140000000 people because a few of them publish malware."

Well, that's the point. It's not just a few of them publishing malware. By all accounts it's a whole system that is embracing it and protecting it. So we need to attack / protect against the whole system. I agree with what Pascal Monett said..

Pascal Monett - "I should hope that a truly working Russian police force would be tracking its users right now"

Yeah ok. So maybe my suggestions are a bit ill thought through, but my point is that if the Russian authorities are protecting these people, then it is a political situation in which we have to fight more than just the monkeys writing the code. So no, I don't think it's a case of just closing the Russian Business Network; it's more a case of closing the Extended Russian Business Network.

@ Jesus Puncher

Re your quote: "its kind of like the argument about muslims sitting by and saying that most of them are innocent and peaceful, instead of taking upon themselves to oust their disruptive element, seeing as they have the closest ties and best ability to do so. (or any other religion etc)"

I don't see the Christians sorting out Bush or Blair (who continues to spread dissent and verbal malware throughout the world.)

Until then, I think it's unfair to blame the majority of the world's largest landmass for a couple of dodgy businesses who spread porn and viruses. Let's face it, at least Yeltsin was more fun when drunk.

@Vladimir Plouzhnikov

Quote you - "BTW these viruses only work because of failings in the poorly written software such as Windows and Acrobat and those are not Russian."

Yep. And people succumb to anthrax because of failings in the poorly written DNA.

It's no more acceptable or blameless to attack someone with Trojans and Phishing attacks than it is with Anthrax or Biopreparat. And in all cases whoever is doing these attacks should be stopped. Or are you saying that Russian Business Network is blameless in this because they didn't write the Windows and Acrobat code??????

Soyuz nerushimy respublik svobodnykh etc...

@ Steve

cut-off russia?

Funny that russia was threatened with denying their membership to the WTO over an MP3 selling site which was blocked by credit card companies etc. and yet here we have a known facilitator of criminal activity, and serious criminal activity at that, and nothing can be done?

shutting down

Funny that a dubious MP3 site leads to threats to refuse Russia into the WTO and possible sanctions, but what everyone says is a network involved in criminal activity, and pretty nasty activity at that, draws no heavy handed response, or any response at all it seems.

This in a week when Interpol co-ordinate raids on private file sharers.

Not just Adobe

I worked for a security software company a few years back and did a bit of auditing. We found at least one hole in our PDF handling code - basically the format rather lends itself to that kind of error.

I wouldn't be surprised if open source PDF interpreters like Ghostscript have similar problems - they're convoluted by nature and not exactly the place people tend to go delve.

@Jesus Puncher

Re: "you're saying that the 150 million lost to scams is a kind of hidden tax..." Errr, no. I am saying if you slap the Russian bear because one of its fleas bit you, be prepared to get a face full of claws. It's better to tackle the flea itself. 150 million? pah! an hour's lost production if the gas is cut off. Try persuading the politicians that that sacrifice is worth making (x 24 x 365 x n). One wonders who would be the ones "cut off". Let's see, tighten up ISP security, or a new cold war and global recession? Hard choice. (unfortunately the politicians take the third choice - "do nothing")

This is not a third world Afghaniraqistan we're talking about. The West is in no position to cut off their phones - and as I pointed out, the internet doesn't work on PSTN dial-up - the internet backbone lines are separate from the phone system. (Quote "annex (sic) russia from the *phone* system...") so I'm not sure what it would achieve.

@Jesus Puncher

"It's no more acceptable or blameless to attack someone with Trojans and Phishing attacks than it is with Anthrax or Biopreparat. And in all cases whoever is doing these attacks should be stopped."

Yes, but your suggestion is equivalent to demanding imprisonment of all bioscientists in the world because one of them was suspected in making such anthrax attacks. You see, this ingenious approach to solving problems is why the US regime is being more and more detested by the rest of the world.

Cutting off your nose to spite your face

Even if one could isolate Russian IP addresses, the fact is that blocking Russian IP addresses will just stop you accidentally viewing Russian web sites. For various reasons, the language barrier being just one, most of us don't do that very often.

Most of the email spam pumped out by these people is sent from botnets, many nodes of which are in your country (wherever you are) and possibly even your ISP. Email headers can be faked, and the only direct connection is the final hop from your ISP's mail servers to your own machine. You weren't thinking of blocking *them* were you?

No. I'm afraid that "dealing with the Ru55ians" is going to be harder than that.
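Two comments above touch the same mechanics: one proposes that ISPs label mail whose headers carry a listed network's addresses, the other points out that Received: headers can be forged and that only the hop into your own ISP is something you can vouch for. The script below is an added example, not code from the article or any commenter. It walks the Received: chain from the top, trusts only hops stamped by a set of hostnames assumed to be the recipient ISP's own servers, takes the connecting IP of the last trusted hop as the verifiable origin, and checks that IP against CIDR ranges with labels. The headers, hostnames and ranges are all constructed placeholders; the page gives no real ranges and none are implied here.

```python
"""Trust-boundary analysis of Received: headers, with range labelling of the
verifiable origin. Added example; sample data below is constructed."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample (not from the article). The lowest Received: line was written
# by the sending machine itself and claims a respectable origin; only hops stamped
# by the recipient ISP's own servers can be believed.
SAMPLE_HEADERS = """\
Received: from mx1.example-isp.net ([192.0.2.10]) by mail.example-isp.net
    with ESMTP id abc123 for <you@example-isp.net>; Wed, 24 Oct 2007 10:00:00 +0000
Received: from bot-node.example.net ([198.51.100.77]) by mx1.example-isp.net
    with SMTP id def456; Wed, 24 Oct 2007 09:59:58 +0000
Received: from trusted-bank.example.com ([203.0.113.5]) by bot-node.example.net
    with SMTP id ghi789; Wed, 24 Oct 2007 09:59:50 +0000
From: "Accounts" <billing@trusted-bank.example.com>
Subject: INVOICE.pdf
"""

# Assumed: hostnames of the recipient ISP's own mail servers (placeholders).
TRUSTED_BY_HOSTS = {"mail.example-isp.net", "mx1.example-isp.net"}

# Assumed: labelled ranges such as a blocklist feed might supply (placeholders).
LABELLED_RANGES = [
    ("198.51.100.0/24", "PLACEHOLDER: range a blocklist would flag"),
    ("203.0.113.0/24", "PLACEHOLDER: another listed range"),
]

Hop = Tuple[str, str, str]  # (claimed sender name, sender IP, receiving host)

# One unfolded Received: line: "Received: from <name> ([<ip>]) by <host> ..."
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(\S+)\s+\(\[?([0-9.]+)\]?\)\s+by\s+(\S+)", re.IGNORECASE
)


def unfold_headers(raw: str) -> List[str]:
    """Join folded continuation lines (leading whitespace) onto their header line."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def parse_received(raw: str) -> List[Hop]:
    """Return hops in header order: most recent (closest to the recipient) first."""
    hops: List[Hop] = []
    for line in unfold_headers(raw):
        m = RECEIVED_RE.match(line)
        if m:
            hops.append((m.group(1), m.group(2), m.group(3).lower()))
    return hops


def split_hops(hops: List[Hop], trusted_by_hosts) -> Tuple[List[Hop], List[Hop]]:
    """Walk down while the recording server is ours. The first hop stamped by a
    server we do not control, and everything below it, was supplied by the sender
    and may be fabricated."""
    for idx, (_name, _ip, by_host) in enumerate(hops):
        if by_host not in trusted_by_hosts:
            return hops[:idx], hops[idx:]
    return hops, []


def label_ip(ip: str, labelled_ranges) -> Optional[str]:
    """Return the label of the first range containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for cidr, label in labelled_ranges:
        if addr in ipaddress.ip_network(cidr):
            return label
    return None


def classify(raw: str, trusted_by_hosts, labelled_ranges) -> Dict:
    """Verifiable origin = the IP that connected to the last server we trust."""
    trusted, untrusted = split_hops(parse_received(raw), trusted_by_hosts)
    origin = trusted[-1][1] if trusted else None
    return {
        "origin": origin,
        "label": label_ip(origin, labelled_ranges) if origin else None,
        "sender_supplied_hops": len(untrusted),
        "unverifiable_claims": [ip for _n, ip, _by in untrusted],
    }


def analyse_sample() -> Dict:
    return classify(SAMPLE_HEADERS, TRUSTED_BY_HOSTS, LABELLED_RANGES)


if __name__ == "__main__":
    for key, value in analyse_sample().items():
        print(f"{key}: {value}")
```

On the sample, the origin is the bot's address recorded by the ISP's border MX, not the bank address claimed in the forged bottom hop, which is reported separately as an unverifiable claim. A real deployment would apply this at the ISP's MX, where the trusted hop set is known exactly.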

Where is...

1. @ JP @Angela 2. @ Ken 3. @all discussing vulnerability

1. Straying off into religion / faith. Bush, Blair may or may not be driven by 'greed' (a term that may require further refinement); however, this does not mean that they are not also driven by their faith. They have both publicly declared that they are so driven. In my personal opinion people of faith who also seek political power need to demonstrate the intellectual horsepower to *separate* the two - not combine them, as these 2 dangerous people have done.

3. Agree with AJ S when he writes: "The statement "requires Acrobat Reader" which often accompanies PDFs on web sites is just flat-out untrue"; however AJS's open-source advocacy (proselytising) needs also to be taken with a pinch of ('show the evaluation report!') salt.

RBN isn't the Russia

My, my, there is a lot of confusion here...

Steve: The address of the Russian Business Network is http://www.rbnnetwork.com/ - but I strongly discourage you from trying to block that from your hosts file. Hint: ping it to see what IP address it resolves to. (Anybody else - if you don't know what that IP means, don't mess with it, because you're going to cut off your connection to the Internet.)

Costa Mihalidis: Word (and Excel, and PowerPoint) documents are dangerous to open even if they do *not* contain macros. There are many exploits in these applications that allow the execution of malicious code even from macro-less documents.

Oh, and everybody: This is *not* an Acrobat exploit! Acrobat's only fault is allowing automatic execution of embedded URLs (instead of you having to click on them manually). The vulnerability is in Internet Explorer 7 on Windows XP machines. Acrobat is just an attack vector. Adobe patching it closes this attack vector - but the very same vulnerability can be exploited from other applications - Firefox (already patched), Skype (already patched), mIRC, Miranda, etc., etc. We're still waiting for Microsoft to patch the root of the problem. :-(

Anonymous Coward & Chris Ovenden: Foxit is vulnerable to this exploit too! The only difference is that Acrobat runs it automatically, while with Foxit you have to be tricked to click on a URL in the document.

Pascal Monett: The RBN does not break any Russian laws, so the Russian police cannot do anything about it. Only its *customers* break laws - and the police does what it can. While what the RBN does is certainly unethical, prosecuting them is no different than prosecuting the phone company for allowing some of its (probably criminal) customers to use encrypted mobile phone communications.

A J Stiles: Open source software for PDF viewing won't save you from this exploit, if you have IE7 installed on a WinXP machine.

Glenn Gilbert: This exploit is in IE7/WinXP - that's why there is no Acrobat update for Linux and Mac. The exploit doesn't work there.
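The distinction drawn in this last comment, and the earlier point that a PDF is an actionable document rather than inert data, comes down to two things a defender can check in a file: whether it carries URI actions at all, and whether one of them is wired to /OpenAction so it fires when the document is opened rather than on a click. The scanner below is an added example written for this page, not code from the article, Adobe, Foxit or any commenter. It is a triage check over uncompressed PDF object syntax, not a PDF parser: actions hidden inside compressed object streams would not be seen, and nested dictionaries are matched approximately. The two sample PDFs are constructed and benign; the URIs point at example.com.

```python
"""Triage scan of a PDF for URI actions, flagging ones that run on open.
Added example; the sample documents are constructed, not real malware."""
import re
from typing import Dict, List

# Constructed minimal PDFs. The xref table is omitted because the scanner
# never consults it; real files would have one. Case 1: a link annotation,
# so the URI is only reached when the reader clicks. Case 2: /OpenAction
# points at the URI action, so it is triggered as soon as the file opens.
CLICK_TO_OPEN = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A << /S /URI /URI (http://example.com/invoice) >> >> endobj
%%EOF
"""
AUTO_OPEN = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /Action /S /URI /URI (ftp://example.com/dir\\(1\\)/report) >> endobj
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
URI_ACTION_RE = re.compile(rb"/S\s*/URI\b")
# PDF literal string: balanced-paren handling is skipped, escapes are honoured.
URI_STR_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
OPENACTION_REF_RE = re.compile(rb"/OpenAction\s+(\d+)\s+(\d+)\s+R\b")
OPENACTION_INLINE_RE = re.compile(rb"/OpenAction\s*<<(.*?)>>", re.DOTALL)


def decode_pdf_string(raw: bytes) -> str:
    """Undo PDF literal-string escapes: \\( \\) \\\\ \\n etc. and octal \\ddd."""
    simple = {ord("n"): 10, ord("r"): 13, ord("t"): 9, ord("b"): 8, ord("f"): 12}
    out = bytearray()
    i = 0
    while i < len(raw):
        c = raw[i]
        if c == 0x5C and i + 1 < len(raw):
            nxt = raw[i + 1]
            if nxt in b"01234567":
                j = i + 1
                while j < len(raw) and j < i + 4 and raw[j] in b"01234567":
                    j += 1
                out.append(int(raw[i + 1:j], 8) & 0xFF)
                i = j
                continue
            out.append(simple.get(nxt, nxt))  # unknown escape yields the char itself
            i += 2
            continue
        out.append(c)
        i += 1
    return out.decode("latin-1")


def describe(body: bytes, auto_run: bool, where: str) -> Dict:
    """Summarise one URI action. Auto-run outranks everything: no click needed."""
    m = URI_STR_RE.search(body)
    uri = decode_pdf_string(m.group(1)) if m else ""
    scheme = uri.split(":", 1)[0].lower() if ":" in uri else ""
    if auto_run:
        severity = "high"
    elif scheme not in ("http", "https"):
        severity = "medium"  # handed to whatever handles that scheme, on click
    else:
        severity = "low"
    return {"where": where, "uri": uri, "scheme": scheme,
            "auto_run": auto_run, "severity": severity}


def scan_pdf(data: bytes) -> List[Dict]:
    """Return one finding per URI action found in plain (uncompressed) objects."""
    objects = {(int(m.group(1)), int(m.group(2))): m.group(3)
               for m in OBJ_RE.finditer(data)}
    auto_refs = set()
    inline_auto: List[bytes] = []
    for body in objects.values():
        for om in OPENACTION_REF_RE.finditer(body):
            auto_refs.add((int(om.group(1)), int(om.group(2))))
        im = OPENACTION_INLINE_RE.search(body)
        if im and URI_ACTION_RE.search(im.group(1)):
            inline_auto.append(im.group(1))
    findings = []
    for key, body in objects.items():
        if URI_ACTION_RE.search(body):
            findings.append(describe(body, key in auto_refs, f"obj {key[0]} {key[1]}"))
    for body in inline_auto:
        findings.append(describe(body, True, "inline /OpenAction"))
    return findings


if __name__ == "__main__":
    for name, doc in (("click-to-open", CLICK_TO_OPEN), ("auto-open", AUTO_OPEN)):
        for f in scan_pdf(doc):
            print(name, f)
```

The first sample is reported as a low-severity, click-only http link; the second is reported high because the catalog's /OpenAction reaches the URI action directly, which is the behaviour the comment describes as the difference between Acrobat and Foxit at the time. A mail gateway could run this over attachments and quarantine anything with an auto-run URI regardless of which reader the recipient uses.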